Oracle Accused of Downplaying Database Flaws, Severity

Security experts accused Oracle of not paying attention to its flagship database software and underreporting the severity of a "fundamental" flaw.

Even
as Oracle fixed numerous flaws across multiple products in January's Critical
Patch Update, security experts criticized the company for the low number of
database fixes and claimed the company is downplaying the severity of a flaw in
its flagship relational database.
Only
two patches were for the Oracle Database out of the 78 security fixes in the
January update, which also covered the Oracle Fusion Middleware, Oracle
e-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle JDEdwards,
Oracle Sun products, Oracle Virtualization and Oracle MySQL, the company said
in its CPU advisory released Jan. 17.

"Either
the database server has reached an amazing maturity in terms of security or
Oracle did not have enough resources to include more fixes into the
process," Amichai Shulman, CTO of Imperva, told eWEEK.

As
Oracle expands its product portfolio and increases the total number of products
patched through the quarterly CPU, there appears to be a "bottleneck"
in Oracle's patching process, Shulman said. This CPU was the first time Oracle
included the open-source MySQL database, which it acquired in 2010 as part of
the Sun Microsystems acquisition.
While
MySQL accounted for a whopping 27 fixes, the overall number of vulnerabilities
in the CPU remained consistent with previous releases, according to Shulman.
"If you were to introduce a new product, there should be more
vulnerabilities in the CPU," he said.
The
low number of Oracle database fixes is most likely a sign of Oracle shifting
its focus and "de-emphasizing" the entire database line, Alex
Rothacker, director of security research at Application Security's TeamSHATTER,
told eWEEK. Oracle has been
consistently decreasing the number of database-related fixes in its CPU since
January 2010, shortly after the Sun deal closed, he said. The company released
only 34 fixes for Oracle Database Server in all of 2011.
Of
the nine reported vulnerabilities TeamSHATTER has open with Oracle, several of
them are "at least as severe as those that were fixed in this CPU,"
Rothacker said.
Oracle
claimed there were fewer issues to fix in its software. The Oracle Database
Server code has "matured," and many of the vulnerabilities have been
weeded out, Eric Maurice, director of Oracle's security assurance program,
wrote in the Oracle Software Security Assurance blog on Dec. 15.
Oracle
has also introduced a secure coding initiative, similar to Microsoft's Security
Development Lifecycle, which has resulted in fewer bugs in new code, according
to Maurice.